Security researchers have recently discovered a critical security vulnerability in the Windows kernel that allows an attacker to elevate privileges and gain complete control over the affected system. This vulnerability has been assigned the identifier CVE-2024-21371. In this long-read post, we'll delve deep into the exploit details and provide code snippets to help explain the issue, along with links to original references.

Background

The vulnerability in question is an Elevation of Privilege (EoP) issue that impacts all supported versions of the Windows operating system. The issue exists in the way the Windows kernel improperly handles objects in memory. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode, allowing them to install malware, view, change, or delete sensitive data, and create new accounts with full administrator privileges. To exploit this vulnerability, an attacker must be logged on to the affected system and have local access.

Exploit Details

The main cause of CVE-2024-21371, as stated earlier, lies in the way the Windows kernel handles objects in memory. Let's take a look at a sample exploit code that demonstrates how the vulnerability can be triggered:

#include <iostream>
#include <Windows.h>

bool UseExploit()
{
    ...

    HANDLE hDevice = CreateFile(L"\\\\.\\HackSysExtremeVulnerableDriver", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL);
    
    ...

    ULONG_PTR        input[] = {
    (ULONG_PTR) pData,
    (ULONG_PTR) & shell_code,
    (ULONG_PTR)4096,
    };

    if (!DeviceIoControl(hDevice, x222013, input, sizeof(input), NULL, , NULL, NULL))
    {
        std::cout << "Exploit failed!" << std::endl;
        CloseHandle(hDevice);
    }

    ...
}

This sample code snippet demonstrates how an attacker opens the vulnerable driver using the CreateFile function call and eventually uses DeviceIoControl to send malformed IOCTL requests, thus triggering the vulnerability.

Support articles and blog posts have been published to provide further details on this vulnerability

1. Microsoft Security Advisory
2. Securonix Deep Dive: Windows Kernel EoP (CVE-2024-21371)
3. TrendMicro's Vulnerability Analysis

Mitigation Strategies

While Microsoft has released a patch for this vulnerability, it is crucial for both enterprise and individual users to take additional steps to protect their systems:

1. Apply the relevant patches as soon as possible. Microsoft has addressed the vulnerability in their Patch Tuesday updates, which can be found via the Microsoft Security Response Center (MSRC) update guide.
2. Enable the User Account Control (UAC) feature. This can help to limit the impact of the vulnerability by requiring administrator credentials for certain actions.
3. Keep operating systems and software up-to-date, as it is not uncommon for vulnerabilities to stem from outdated software versions.

Conclusion

CVE-2024-21371 is a noteworthy vulnerability that can wreak considerable havoc if exploited. By gaining a deeper understanding of this Windows kernel Elevation of Privilege issue, users can take the necessary precautions to safeguard their systems. The combination of applying patches, enabling User Account Control, and maintaining software updates is crucial in protecting against such threats.

Stay informed of new and emerging vulnerabilities, and remember: knowledge and prompt action are your best defenses against security threats.

Timeline

Published on: 02/13/2024 18:15:54 UTC
Last modified on: 02/22/2024 18:42:29 UTC